[opensuse] best practices? setting up simple opensuse for newbie (sudo/kdesu and passwords, autoupdates)
i am no desktop user of linux, so this is rather new to me, i have always been using linux for many years on server side and console. want to give an easy opensuse system to a friend, a total computer newbie themselves. so i installed opensuse 11.4, install process created one user, that users pass did not become the roots pass. simple kde desktop. question is about how to configure opensuse the most simple but still secure way, so that this normal useraccount can do all the onlineupdates and isnt bothered with multiple passes such as root and their own for configuration if once needed. i thought about sudo and kdesu (and found some kderc or such config file in the users homedirectory) which would allow for using the users passwords instead of the rootpassword. only there seems to be some weird app on the kde desktop that comes up from time to time and says that it needs root password for proxy configuration and all that, although nobody is using a proxy anywhere, its some packagekit or such app, and i am rather confused as i have only known about that yast2 online_update module or some other kind of kde notifyer symbol, and this 11.4 system seems to have two distinct things here, the packagekit is the one that creates the problems and hassle. also it sometimes hogs and blocks the system and even zypper up and so on cant progress because of package blocking rpm database or such stuff. anyways, so what is a good way of giving a simple opensuse system to a newby enduser for simple desktop usage, so that a rootpassword is never being needed for the user, but the user should supply their own password once more instead to be able to execute the administrative tasks. or is there any better way to configure a secure and simple desktop for newbie users without confusing them too much? maybe i am too confused and trying too complicated things and there are more elegant ways. thanks. 
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 22/11/2011 12:07, cagsm wrote:
> want to give an easy opensuse system to a friend, a total computer newbie themselves.
I do this on a regular basis
> so i installed opensuse 11.4, install process created one user, that users pass did not become the roots pass. simple kde desktop. question is about how to configure opensuse the most simple but still secure way, so that this normal useraccount can do all the onlineupdates and isnt bothered with multiple passes such as root and their own for configuration if once needed.
better not
I set up packman, install all the updates, mp3, libdvdcss and dvd readers (vlc, ffmpeg, mpenc...) and that's all. No updates. I know of many such users. The risk of not making updates is less than the risk of giving them the root pass. I just instruct them to copy important files to flash key or cd. I even have a user (my daughter) who does not want to leave her old distro (11.2?) because she does not want to lose her setup. Never any problem. I change system when I change computer. As usually this is done on old hardware I don't pay for (often mine when I buy a new one), I can renew it every 2/3 years
> anyways, so what is a good way of giving a simple opensuse system to a newby enduser for simple desktop usage, so that a rootpassword is never being needed for the user, but the user should supply their own password once more instead to be able to execute the administrative tasks. or is there any better way to configure a secure and simple desktop for newbie users without confusing them too much? maybe i am too confused and trying too complicated things and there are more elegant ways.
add its name in /etc/sudoer
jdd
On 22/11/11 12:07, cagsm wrote:
> i am no desktop user of linux, so this is rather new to me, i have always been using linux for many years on server side and console.
Me too. I only discovered linux desktop last year.
> anyways, so what is a good way of giving a simple opensuse system to a newby enduser for simple desktop usage, so that a rootpassword is never being needed for the user, but the user should supply their own password once more instead to be able to execute the administrative tasks. or is there any better way to configure a secure and simple desktop for newbie users without confusing them too much? maybe i am too confused and trying too complicated things and there are more elegant ways.
> thanks.
Ubuntu uses the method you describe by default. In opensuse you can choose to do it when you install it. It explains it here: http://en.opensuse.org/SDB:DVD_installation_for_11.4#Step_4:_Create_the_prim...
HTH
L x
On Tue, 22 Nov 2011 12:38:27 +0100 lynn wrote:
> On 22/11/11 12:07, cagsm wrote:
> > i am no desktop user of linux, so this is rather new to me, i have always been using linux for many years on server side and console.
> Me too. I only discovered linux desktop last year.
> > anyways, so what is a good way of giving a simple opensuse system to a newby enduser for simple desktop usage, so that a rootpassword is never being needed for the user, but the user should supply their own password once more instead to be able to execute the administrative tasks. or is there any better way to configure a secure and simple desktop for newbie users without confusing them too much? maybe i am too confused and trying too complicated things and there are more elegant ways.
> > thanks.
> Ubuntu uses the method you describe by default. In opensuse you can choose to do it when you install it. It explains it here:
> http://en.opensuse.org/SDB:DVD_installation_for_11.4#Step_4:_Create_the_prim...
> HTH L x
Thanks for the tip, Lynn, and the link!
Carl
On Tue, Nov 22, 2011 at 12:53, Carl Hartung wrote:
> On Tue, 22 Nov 2011 12:38:27 +0100 lynn wrote:
> > On 22/11/11 12:07, cagsm wrote:
> > > i am no desktop user of linux, so this is rather new to me, i have always been using linux for many years on server side and console.
> > Me too. I only discovered linux desktop last year.
> > > anyways, so what is a good way of giving a simple opensuse system to a newby enduser for simple desktop usage, so that a rootpassword is never being needed for the user, but the user should supply their own password once more instead to be able to execute the administrative tasks. or is there any better way to configure a secure and simple desktop for newbie users without confusing them too much? maybe i am too confused and trying too complicated things and there are more elegant ways.
> > > thanks.
> > Ubuntu uses the method you describe by default. In opensuse you can choose to do it when you install it. It explains it here:
> > http://en.opensuse.org/SDB:DVD_installation_for_11.4#Step_4:_Create_the_prim...
> > HTH L x
> Thanks for the tip, Lynn, and the link!
> Carl
Just to clarify, the docs say: "By default, the system is set to use this password for the system administrator (also known as root)."
So the behavior requested by the original poster is the *default* behavior for a _single_ user install. If an openSUSE 11.4 install is asking for a root password, then either the check box was cleared on installation, or it is a multi-user system. The first user defined will have a shared user/root password, and subsequent users will have their own password that is NOT linked to the root password.
C.
On Tue, Nov 22, 2011 at 12:58 PM, C wrote:
> Just to clarify, the docs say: "By default, the system is set to use this password for the system administrator (also known as root)." So the behavior requested by the original poster is the *default* behavior for a _single_ user install. If an openSUSE 11.4 install is asking for a root password, then either the check box was cleared on installation, or it is a multi-user system. The first user defined will have a shared user/root password, and subsequent users will have their own password that is NOT linked to the root password.
well, i un-selected that option, so root has a distinct password from the single other normal user created during setup process. i wonder if i am thinking things too complicated. i thought the sudo and related stuff were good things as the logfiles would contain information when the normal user executes the administrative tasks this way, but not needing to memorize a second root password nor jeopardizing the root account with too silly or stupid passwords. even if the normal user has a silly or smallish password it would still need to be supplied over again if an administrative task is needed to be started. that was the idea of that kde-config file i found in some faq or wiki entry and the sudo/kdesu method.
my main problem was so far that this additional stupid applet or whatever it is this packagekit or so still asks for roots password and i fail to understand why there is this packagekit way of getting onlineupdates, then the yast2 gui way which i used to know until now. they dont seem to be identical. the yast2 obeys the users password via kdesu/sudo, packagekit needs root and is additionally seemingly only asking for some proxy configuration nobody seems to have triggered anyway in the first place. sigh :(
can i simply uninstall packagekit madness, or what is the bestpractices on the kde desktop for the suse updates? on the bug mailinglist and elsewhere i also read about this proxy question annoyance even in 12.1, so there seems to be something wrong there.
about the password/installtime stuff: why set root and firstusers password to the same? that doesnt sound sane to me, does it? thanks.
On Tue, 22 Nov 2011 12:07:39 +0100 cagsm wrote:
> maybe i am too confused and trying too complicated things and there are more elegant ways.
Give them a Live CD / DVD to 'get their feet wet' then a normal installation, in a few weeks or months, when they're ready for one. I'd avoid anything 'exotic' especially when it comes to trying to support 'newbies'.
regards,
Carl
cagsm said the following on 11/22/2011 06:07 AM:
> [snip]
> i thought about sudo and kdesu [snip]
It sounds like you have realistic concerns about security.
I would advise one of the following.
1. Don't be obsessively concerned about updates. This isn't MS-Windows. If you are running the firewall then Linux, ipso facto, overcomes the greatest problem home MS-Windows has, that a regular user has admin power and so can be conned into installing malware. If you think it matters, visit the user and do the update yourself.
2. 'sudo' and its brethren are a good idea. You can delegate a limited amount of root power. Set it up so the user can only run 'zypper up' as root from a console, Konsole or xterm. Write out the instructions. Don't explain, just "do this". They don't need to know what's under the hood. They probably don't need to do this very often anyway.
3. Hack PAM. I tried this once so that I could kdesu to the specific yast module to do an update. I forget the details. You can do it for gnome as well.
I don't advise hacking PolicyKit. It may seem PolicyKit gets in the way of a lot of things, but in the end what it comes down to is that PolicyKit is right and you need to look at it from the other end.
--
Wisdom consists in being able to distinguish among dangers and make a choice of the least harmful. -- Niccolo Machiavelli, The Prince
On Tue, 2011-11-22 at 09:47 -0500, Anton Aylward wrote:
> cagsm said the following on 11/22/2011 06:07 AM:
> > [snip]
> > i thought about sudo and kdesu
> > [snip]
> It sounds like you have realistic concerns about security.
> I would advise one of the following.
> 1. Don't be obsessively concerned about updates.
> This isn't MS-Windows. If you are running the firewall then Linux, ipso facto, overcomes the greatest problem home MS-Windows has, that a regular user has admin power and so can be conned into installing malware.
> If you think it matters, visit the user and do the update yourself.
+1
I'm a professional sys-admin; other than after initially installing a new release I update at most once a month. I pick a time when I don't *NEED* my computer to work for a day and I perform updates. That way if things break I have an opportunity to address the issue. There is very rarely a need to jump on an update - a scary issue will usually make the 'news' on sites like LWN [or better you can track security issues via RSS from various sites].
In the case of a new release it is usually a good idea to closely track updates for a few weeks - as these are often closing bugs and fixing issues at a rapid clip. Later updates are often more boring and frequently about obscure security issues - security issues are often related to *if* you use a component/service as well as *how* you use it.
On Tuesday, November 22, 2011 09:51:37 AM Adam Tauno Williams wrote:
> On Tue, 2011-11-22 at 09:47 -0500, Anton Aylward wrote:
> > cagsm said the following on 11/22/2011 06:07 AM:
> > > [snip] i thought about sudo and kdesu [snip]
> > It sounds like you have realistic concerns about security. I would advise one of the following. 1. Don't be obsessively concerned about updates.
> > This isn't MS-Windows. If you are running the firewall then Linux, ipso facto, overcomes the greatest problem home MS-Windows has, that a regular user has admin power and so can be conned into installing malware. If you think it matters, visit the user and do the update yourself.
> +1
> I'm a professional sys-admin; other than after initially installing a new release I update at most once a month. I pick a time when I don't *NEED* my computer to work for a day and I perform updates. That way if things break I have an opportunity to address the issue. There is very rarely a need to jump on an update - a scary issue will usually make the 'news' on sites like LWN [or better you can track security issues via RSS from various sites].
> In the case of a new release it is usually a good idea to closely track updates for a few weeks - as these are often closing bugs and fixing issues at a rapid clip. Later updates are often more boring and frequently about obscure security issues - security issues are often related to *if* you use a component/service as well as *how* you use it.
There is an issue currently with the way Policy Kit handles the NetworkManager though since 12.1 forces you to give it root anytime you want to connect to a new network. There is a bugzilla open on that showing the change you need to fix that.
--
Roger Luedecke
openSUSE Ambassador
Ind. Repairs and Consulting
**Looking for a C++ etc. mentor***
linux aint msft windows? thats why i dont need timely updates? this logic doesnt make sense to my security needs. silly firefox devcycles alone make it necessary to upgrade very frequently the mozilla packagery alone, and even before their high paced release cycles, their countless security bugs and their more inexcusable chemspill re-releases are just a simple example. not even to speak about all the security risks in other softwares. maybe you are taking software updates and risks too lightly. just because you think microsoft is a security mess, doesnt mean linux is heaven. quite the contrary. you cant let especially noob users on virgin linux installations without patches, thats just insane.
so it apparently boils down to give a single password to both root and this one normal user i create and set everything to automatic (updates). the user will probably still be bothered with password popups, and saving a password in all these password dialogboxes doesnt sound right either in terms of security, once there will be exploits and other problems on these un*x platforms as well. normal un*x users dont operate as root and are very clearly and thoroughly separated from the root account and all its possibilities. so when using the same passwords everywhere and saving passwords creates a situation of complete insecurity i think.
> 1. Don't be obsessively concerned about updates. This isn't MS-Windows. If you are running the firewall then Linux, ipso facto, overcomes the greatest problem home MS-Windows has, that a regular user has admin power and so can be conned into installing malware.
i am still undecided if i stick with this already installed 11.4 or if i should give 12.1 a try, but the many bugreports and even only looking at the mostannoyingbugs of it gives me the creeps. it seems that just about each and every new (open)suse release is riddled with crazy bugs and showstoppers and just almost noone seems to care and things still get released into the wild as final releases.
what i have never liked about opensuse is that there are never revisions of the released products, once very nasty bugs are fixed, the debian folks release r1, r2 and so forth, but the opensuse isos and repositories never get packaged and bundled into a fixed and updated revision. i am thinking about the many mdraid/dmraid/kernel and other bugs and real showstoppers of the past opensuse releases of which many of these bugs landed on the mostannoying area but never ever was a re-release or a revision-release considered. i also read about suggestions and attempts to make the suse release cycle into considering these re-releases with most important fixes and many people with bootloader, kernel and these disk and upgrade scenario bugs asked for better and more thorough testing.
for example i also have never experienced a flawless opensuse release with the even most simple basic configuration in terms of upgradeability. i am always trying to install a release for example 11.4 clean when a new release appears, for example this 12.1 and try a simple for example dvd-media based upgrade procedure. single useraccount, single e.g. sata disk, single partition, nothing special at all. i have never come across a clean and flawless upgrade result. opensuse always fails on a very basic and easy upgrade scenario. its clear to me that the opensuse people dont consider upgrades important enough. everybody thinks that the world starts just about new after every release. its a shame.
i remember when suse had trouble upgrading when you had separate partitions for var or logs, when there were complete showstoppers when you had some -pae or non-pae kernel or so and upgraded to the next suse release it would just die, then the zypper disaster one release ago or such stuff i have read about, then people unable to create and keep simple raid1(mirror) configs with two simple physical disks and mirroring every partition from one disk to the other and upgrading those systems, opensuse still cant handle these things to this date if i am up to date with all those endless bug listings on their bugzilla.
* cagsm
> its clear to me that the opensuse people dont consider upgrades important enough. everybody thinks that the world starts just about new after every release. its a shame.
> i remember when suse had trouble upgrading when you had separate partitions for var or logs, when there were complete showstoppers when you had some -pae or non-pae kernel or so and upgraded to the next suse release it would just die, then the zypper disaster one release ago or such stuff i have read about, then people unable to create and keep simple raid1(mirror) configs with two simple physical disks and mirroring every partition from one disk to the other and upgrading those systems, opensuse still cant handle these things to this date if i am up to date with all those endless bug listings on their bugzilla.
yet here you are. There are many distributions of linux available for you to choose, or are you really just *trolling*.
note: I wear flame-retardant-underwear.
--
(paka)Patrick Shanahan Plainfield, Indiana, USA HOG # US1244711
http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2
http://en.opensuse.org openSUSE Community Member
Registered Linux User #207535 @ http://linuxcounter.net
On Friday, November 25, 2011 01:06 PM cagsm wrote:
> [snip]
Wow, I began to respond to sections of your long post (aka rant) which goes rather afield of your original post, but decided to just snip it. A few comments (with occasional tongue in cheek, no offense meant):
Since you are understandably concerned about stability, why not just wait a short while - a month is usually sufficient - before installing or upgrading to 12.1? Is there something in 12.1 that is so urgent that it requires you act immediately? For a brand new user, it may indeed be better to either wait a bit or use 11.4, which I find works exceptionally well (more to the point, so does my militantly anti-technical wife; hers is a much stronger endorsement). Or give 12.1 a try, evaluate the serious bugs list from the perspective of what if any effect they may have on your user (doubtful he'll care about systemd as long as it works), and then decide.
As far as security patches, I find the openSUSE security bug fix policy to work quite well. It's been ~10 years now, and while on very rare occasion a patch has itself created a problem, I can't remember reading of anyone actually being bitten by a security breach because a patch was too late. Not saying that it hasn't happened (my memory isn't what it used to be) but if it were to any meaningful extent, wouldn't alarms be ringing from everywhere?
So I checked one of my 11.4 machines that I'm not as mindful with as I should be for patches; it hasn't been patched for more than 2 months. And omigod there are 20 patches! Interestingly, all are upstream with about half from commercial outfits like Mozilla, Adobe, and Oracle, etc. I'm not positive, but I can't recall hearing much about stack overflow exploits in perl or pam or etherape or wireshark. I guess I'm just lucky.
This is not to minimize security patches for browsers at all (and this is where I differ from our colleague who suggests a firewall is sufficient).
Browsers are the most common and serious attack vector for sure, and many of these exploits are OS agnostic. But the reason for all the complaining here about Mozilla escapes me. Is there a suggestion? Is there something else *we* should be doing?
And I regret all the heartburn over your problems with upgrades. I'm first to admit that it may take me several hours to work out package incompatibilities, I cursed when no one mentioned that libata was changing "h" to "s", and I still won't allow an upgrade to reinstall the boot loader. But thankfully, besides the extra time and invariable unpleasant upgrade surprise here and there, I've never lost any of my arrays or anything else for that matter. Like I said, just lucky I guess.
Now, as far as your original, specific question/concern: If you choose to use 11.4 or 12.1 still has the updater problem, disable the applet. Then to do regular patch updates you can:
Show your user how to use Online Update. A couple clicks. Admittedly s/he won't know what the patches actually mean, but some folks like to see what's going on (especially if something breaks later). Some Windows users (IME the smart ones) actually look at the patches MS pushes rather than taking everything automatically (and then wondering later what broke the machine).
Or, how about a simple script which uses sudo and zypper to patch? Put it on the desktop with the icon & title of your choice. Your user clicks on it and that's it.
Or, how about setting up that same script in the KDE Task Scheduler (cron), to run automatically whenever you want?
Finally, re the root vs user password. I also don't like using the same password for both. The approach I would take would depend on how often your user is likely to need to use root and what for. If s/he is going to be using it a lot, the Ubuntu sudo approach IMO becomes pointless, since it can be used for anything root and the user often has to open a terminal as well.
If a user needs root privilege frequently for different functions, there should be a very good reason and IMO this is not for beginners. But if your user will use root infrequently, such as just to install new software, then sudo with krunner (or a little yast-software startup desktop shortcut like above) might be a good option. Or you can go the Windows route (where Administrator is not in fact root), create an actual Administrator user, and set it up to do the few things your user needs that privilege to do. Flexibility is your friend, and it's pretty much a one-time thing.
Hope that helps.
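One way to set up the restricted sudo rule from Anton Aylward's option 2 earlier in the thread ("only run 'zypper up' as root"), which the sudo-and-zypper script suggested in the message above would also rely on. This is an added example, not code from any poster in the thread; it assumes zypper is at /usr/bin/zypper, that /etc/sudoers pulls in /etc/sudoers.d via #includedir, and that the account name is supplied by whoever runs it.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: zypper is /usr/bin/zypper,
# /etc/sudoers has "#includedir /etc/sudoers.d", account name is passed in.

ZYPPER=/usr/bin/zypper
DROPIN_DIR=/etc/sudoers.d

# Accept only plain account names so nothing else can be smuggled into sudoers.
valid_user() {
    case $1 in
        ''|*[!a-z0-9_-]*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit the rule. Listing the argument ("up") makes sudo match that exact
# command line, so "zypper install ..." or "zypper addrepo ..." is refused.
# PASSWD: asks for the user's own password, never root's, and every
# invocation is logged by sudo under the user's name.
render_fragment() {
    valid_user "$1" || return 1
    printf 'Cmnd_Alias ZYPPER_UP = %s up\n' "$ZYPPER"
    printf '%s ALL = (root) PASSWD: ZYPPER_UP\n' "$1"
}

# Syntax-check with visudo before the file goes live, then install it 0440
# root:root. A broken file in sudoers.d can lock everyone out of sudo.
install_fragment() {
    user=$1
    tmp=$(mktemp) || return 1
    render_fragment "$user" > "$tmp" || { rm -f "$tmp"; return 1; }
    if visudo -c -f "$tmp" >/dev/null; then
        install -m 0440 -o root -g root "$tmp" "$DROPIN_DIR/zypper-up-$user"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Run as root:  sh zypper-sudo.sh --install <account>
# Afterwards "sudo -l -U <account>" lists what the account may run.
if [ "${1:-}" = "--install" ]; then
    install_fragment "${2:-}" && sudo -l -U "$2"
fi
```

A desktop launcher or written instruction can then use `sudo /usr/bin/zypper up` in a terminal; the user types their own password and no other zypper subcommand is permitted by this rule.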
On Friday, November 25, 2011 04:15 PM Dennis Gallien wrote:
> On Friday, November 25, 2011 01:06 PM cagsm wrote:
In the interest of accuracy, and to be fair, I should correct my previous post. I referred to 20 "patches", when in fact there are 20 "updates", many of the updates containing multiple patches. That said, I still maintain that the project's patch policy has overall worked well. Sorry about being sloppy with the terminology.
participants (10)
- Adam Tauno Williams
- Anton Aylward
- C
- cagsm
- Carl Hartung
- Dennis Gallien
- jdd
- lynn
- Patrick Shanahan
- Roger Luedecke